Google is making it even harder to accidentally install a malicious plugin. The company recently announced new changes to the way Google services handle plugins, adding new warnings for users and a more involved verification system for apps. The result is more scrutiny on apps plugging into Google services, and more active involvement from Google when an app seems suspicious.

The changes come after a sophisticated phishing worm hit Google Drive users in May, masquerading as an invitation to collaborate on a document. The malicious plugin was not controlled by Google, but because it was named “Google Docs,” the app was able to fool many users into granting access. Once granted access, it sent a new request to everyone in the target’s contact list, allowing the app to spread virally. Ultimately, the app was blacklisted by Google, but not before it reached tens of thousands of users.

Today, such an attack would be much harder to perform. Shortly after the worm, Google strengthened its developer registration systems, making it harder for anonymous actors to plug unknown apps into Google accounts. The latest announcement takes that system even farther by warning users whenever an unverified app requests access to user data.

Malicious or compromised plugins remain a significant security risk for Google and other platforms, as a string of recent incidents have demonstrated. An active social media user might have hundreds of plugins authorized to access their Twitter or Facebook account, giving hackers hundreds of potential ways in. Users can protect against these attacks by monitoring authorized applications and revoking access for any apps they no longer use.